cisco 800 series access lists denying legitimate traffic

I have an issue that appears to be ACL related that I need your help with.

This 800 series router provides internet access via 3G, which works for most clients, but for others "sh log" displays the following:
%SEC-6-IPACCESSLOGP: list 104 denied udp 172.17.0.110(3072) -> 194.72.6.57(53), 1 packet

I do not know on what basis DNS is selectively denied to that public DNS server. Can you please suggest how this can be fixed, and whether the ACLs are placed on the right interfaces and in the right direction?

Presently there are two ACLs applied on Vlan1 and Dialer1, as below:

interface Vlan1
 ip access-group 103 in
access-list 103 remark ---- inside-to-outside acl -----

interface Dialer1
 ip access-group 104 in
access-list 104 remark ----- outside-to-inside acl -----
881G-site1#sh run
Building configuration...

Current configuration : 11057 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname 881G-site1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 $1$fE5J$bDlgP/oAshf8x1.
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local 
!
!
aaa session-id common
clock timezone London 0
!
crypto pki trustpoint TP-self-signed-2753447616
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2753447616
 revocation-check none
 rsakeypair TP-self-signed-2753447616
!
!
crypto pki certificate chain TP-self-signed-2753447616
 certificate self-signed 01
        quit
no ip source-route
ip dhcp excluded-address 172.17.0.1 172.17.0.99
ip dhcp excluded-address 172.17.0.200 172.17.0.254
!
ip dhcp pool dhcp-pool1
   import all
   network 172.17.0.0 255.255.255.0
   dns-server 194.72.6.57 
   default-router 172.17.0.1 
!         
!
ip cef
no ip bootp server
ip name-server 194.72.6.57
ip ddns update method myupdate
 HTTP
  add http://ddns:FJgh$@members.dyndns.org/nic/update?hostname=<h>&myip=<a>
  remove http://ddns:FJgh$@members.dyndns.org/nic/update?hostname=<h>&myip=<a>
 interval maximum 0 0 30 0
 interval minimum 0 0 10 0
!
ip dhcp-client default-router distance 5
!
!
chat-script cdma "" "ATDT*98*1#" TIMEOUT 60 "CONNECT"
!
!
username u881g privilege 15 secret 5 $1$yOPhXbObuAJy/
! 
!
!         
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
track 123 ip sla 1 reachability
 delay down 15 up 10
bridge irb
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 no cdp enable
!
interface FastEthernet1
 no cdp enable
!         
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface FastEthernet4
 description $FW_OUTSIDE$
 ip dhcp client route track 123
 ip address dhcp client-id FastEthernet4
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
!
interface Cellular0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer in-band
 dialer pool-member 1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 172.17.0.1 255.255.255.0
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 ip tcp adjust-mss 1452
!
interface Dialer1
 description $FW_OUTSIDE$
 ip dhcp client update dns server both
 ip ddns update hostname 881G-site1.dyndns.org
 ip ddns update myupdate
 ip address negotiated
 ip access-group 104 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer string cdma
 dialer persistent
 no cdp enable
 ppp chap hostname web
 ppp chap password 7 111E1C07
 ppp ipcp dns request
!
ip local policy route-map MY-LOCAL-POLICY
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1 100
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map dhcp-nat interface FastEthernet4 overload
ip nat inside source route-map fixed-nat interface Dialer1 overload
!
ip sla 1
 icmp-echo 4.2.2.2 source-interface FastEthernet4
 threshold 40
ip sla schedule 1 life forever start-time now
logging trap debugging
access-list 10 permit 172.17.0.0 0.0.0.255
access-list 23 permit 172.17.0.0 0.0.0.255
access-list 100 deny   ip 172.17.0.0 0.0.0.255 192.168.110.0 0.0.0.255
access-list 100 deny   ip 172.17.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 deny   ip 172.17.0.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 100 deny   ip 172.17.0.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 100 permit ip 172.17.0.0 0.0.0.255 any
access-list 102 permit icmp any host 4.2.2.2 echo
access-list 103 remark ---- inside-to-outside acl -----
access-list 103 remark ----- Permit DHCP -----
access-list 103 permit udp any eq bootpc any eq bootps log
access-list 103 permit udp any eq bootps any eq bootps log
access-list 103 permit udp any eq bootps any eq bootpc log
access-list 103 remark ---- Deny Kazaa and Fastrack clones ----
access-list 103 deny   tcp any any eq 1214 log
access-list 103 remark ---- Deny eDonkey and clones -----
access-list 103 deny   tcp any any range 4661 4672 log
access-list 103 deny   udp any any range 4661 4672 log
access-list 103 remark ----- Deny WinMX and Napster -----
access-list 103 deny   tcp any any eq 6257 log
access-list 103 deny   udp any any eq 6257 log
access-list 103 deny   tcp any any eq 6699 log
access-list 103 deny   udp any any eq 6699 log
access-list 103 remark ----- Deny Bittorrent -----
access-list 103 deny   tcp any any range 6881 6889 log
access-list 103 deny   udp any any range 6881 6889 log
access-list 103 remark ----- Deny Gnutella -----
access-list 103 deny   tcp any any eq 6346 log
access-list 103 deny   udp any any eq 6346 log
access-list 103 deny   tcp any any eq 6347 log
access-list 103 deny   udp any any eq 6347 log
access-list 103 remark ----- Local Eset firewall will also apply ----
access-list 103 remark ----- Permit 172.17.0.x to internet -----
access-list 103 permit ip 172.17.0.0 0.0.0.255 any
access-list 103 remark ----- Deny everything else -----
access-list 103 deny   ip any any log
access-list 104 remark ----- outside-to-inside acl -----
access-list 104 remark CCP_ACL Category=17
access-list 104 remark Auto generated by CCP for NTP (123) 3.uk.pool.ntp.org
access-list 104 permit udp host 85.119.80.233 eq ntp any eq ntp
access-list 104 remark Auto generated by CCP for NTP (123) 2.uk.pool.ntp.org
access-list 104 permit udp host 84.45.97.44 eq ntp any eq ntp
access-list 104 remark Auto generated by CCP for NTP (123) 1.uk.pool.ntp.org
access-list 104 permit udp host 62.84.188.34 eq ntp any eq ntp
access-list 104 remark Auto generated by CCP for NTP (123) 0.uk.pool.ntp.org
access-list 104 permit udp host 217.114.63.174 eq ntp any eq ntp
access-list 104 permit udp host 10.30.0.1 eq domain any
access-list 104 permit udp host 194.72.6.57 eq domain any
access-list 104 remark ----- permit DNS replies -----
access-list 104 permit udp any eq domain any
access-list 104 remark ----- Permit ICMP -----
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 permit icmp any any packet-too-big
access-list 104 remark ----- Permit established connections -----
access-list 104 permit tcp any any established
access-list 104 remark ----- Deny everything else -----
access-list 104 deny   ip any any log
no cdp run
!
route-map fixed-nat permit 10
 match ip address 100
 match interface Dialer1
!
route-map dhcp-nat permit 10
 match ip address 10
 match interface FastEthernet4
!
route-map MY-LOCAL-POLICY permit 10
 match ip address 102
 set ip next-hop dynamic dhcp
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!
^C
!
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line 3
 script dialer cdma
 modem InOut
 no exec
 transport input all
line vty 0 4
 access-class 23 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end


Don JohnstonInstructorCommented:
What doesn't make any sense to me is why you have traffic from 172.17.0.110 coming in on the Dialer 1 interface.
0
ee-gdAuthor Commented:
I have no idea - the device using that IP is connected via cable to interface FastEthernet0.
0
Don JohnstonInstructorCommented:
Here's a question: Can the 172.17.0.110 device resolve domain names?
0

ee-gdAuthor Commented:
No.
0
Don JohnstonInstructorCommented:
But other devices on the 172.17.0.0/24 network can?
0
ee-gdAuthor Commented:
Yes, this is the only one that seems to be blocked...

.100 to .114 are all assigned from the DHCP pool and can access the internet.
0
Don JohnstonInstructorCommented:
It simply doesn't make any sense. There's nothing in the ACL specific to that device.

If it were me, I would first double check the basics. Make sure the address, mask, default-gateway are correct. Check the DHCP bindings and verify that the address was assigned, etc.

Then, I'd put a protocol analyzer on that device, open up the access-list and see if I could figure out the traffic flow.

If the protocol analyzer is not an option, I would start adding permits (before the deny any any) to determine what would allow it to work. For example add a "permit udp host 172.17.0.110 host 194.72.6.57 eq domain log" and see if it starts working.
0
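As an added illustration that is not part of the thread: a small first-match evaluator for the numbered extended ACL syntax used in this config, run over an excerpt of ACL 104 against the logged packet and against the DNS reply it would expect. It shows why the query falls through to the explicit deny (every udp permit in 104 requires source port 53) while the reply is permitted, and the test shows the effect of inserting a permit before the deny as Don suggests. PORTS, the sample packets and the parser are constructed here; only ip/tcp/udp entries with contiguous wildcards are modelled.

```python
import ipaddress

PORTS = {"domain": 53, "ntp": 123, "bootps": 67, "bootpc": 68}  # IOS port keywords used on this page

def _addr(toks):  # 'any' | 'host A' | 'A WILDCARD'; an IOS wildcard is a hostmask (contiguous only)
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1]), toks[2:]
    return ipaddress.ip_network((toks[0], toks[1]), strict=False), toks[2:]

def _ports(toks):  # optional 'eq P' / 'range A B'; absent means any port
    p = lambda t: PORTS.get(t) or int(t)
    if toks and toks[0] == "eq":
        return (p(toks[1]), p(toks[1])), toks[2:]
    if toks and toks[0] == "range":
        return (p(toks[1]), p(toks[2])), toks[3:]
    return (0, 65535), toks

def parse_acl(config, number):  # ordered ACEs of numbered extended ACL `number`; remarks skipped
    rules, prefix = [], f"access-list {number} "
    for line in (l.strip() for l in config.splitlines()):
        toks = line[len(prefix):].split() if line.startswith(prefix) else []
        if not toks or toks[0] == "remark":
            continue
        src, rest = _addr(toks[2:]); sp, rest = _ports(rest)
        dst, rest = _addr(rest); dp, rest = _ports(rest)
        rules.append((line, toks[0], toks[1], src, sp, dst, dp, set(rest)))
    return rules

def evaluate(rules, pkt):  # first match wins; IOS ends every ACL with an implicit 'deny ip any any'
    sip, dip = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for line, action, proto, src, sp, dst, dp, flags in rules:
        if proto not in ("ip", pkt["proto"]) or sip not in src or dip not in dst:
            continue
        ok = proto == "ip" or (sp[0] <= pkt["sport"] <= sp[1] and dp[0] <= pkt["dport"] <= dp[1])
        if ok and not ("established" in flags and not pkt.get("established")):
            return action, line
    return "deny", "implicit deny ip any any"

# Excerpt of ACL 104 from the config above (icmp entries left out: ICMP type keywords are not modelled).
ACL_104 = """
access-list 104 permit udp host 194.72.6.57 eq domain any
access-list 104 permit udp any eq domain any
access-list 104 deny   ip any any log
"""
# The packet from the logged %SEC-6-IPACCESSLOGP message, and the reply it would expect (constructed).
QUERY = dict(proto="udp", src="172.17.0.110", sport=3072, dst="194.72.6.57", dport=53)
REPLY = dict(proto="udp", src="194.72.6.57", sport=53, dst="172.17.0.110", dport=3072)
VERDICTS = {k: evaluate(parse_acl(ACL_104, 104), p) for k, p in (("query", QUERY), ("reply", REPLY))}
```

Running the module fills VERDICTS with ('deny', ...) for the query and ('permit', ...) for the reply; the same query evaluated against ACL 103's "permit ip 172.17.0.0 0.0.0.255 any" is permitted, so the deny is only possible because the packet arrived on Dialer1.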
